Close this search box.

LockBit’s Back After Police Takedown


The LockBit ransomware group’s servers were taken down by law enforcement on February 19, seen by many as a significant blow to the cybercrime group’s operations. But in less than a week, they were back, this time with stronger defences and threats aimed at government bodies.

The reality is, this comeback was to be expected – shutting down a hacker group’s website is one thing, but keeping them offline is another story altogether.

Inside LockBit

LockBit operates as a cybercrime group, specialising in ransomware attacks. They offer their ransomware on a ransomware-as-a-service (RaaS) basis, allowing other criminals to use their tools for a share of the proceeds. This model has broadened their impact, making them responsible for numerous high-profile attacks across various sectors, including healthcare and government.

Their website served multiple purposes:

  • Listing victims of their ransomware attacks
  • Publishing stolen data as part of their extortion strategy
  • Acting as a platform for negotiating ransom payments
  • Advertising their ransomware-as-a-service to potential affiliates

For a closer look at LockBit and their activities, our LockBit Threat Report has all the info you need. It covers their tactics and effects, featuring a dialogue between our Incident Response manager and LockBit threat actors during a ransom negotiation.

A preview from our LockBit Threat Report - featuring a conversation where our Gridware team, representing a business we assisted, engaged with a LockBit hacker (TA, in grey) to negotiate data recovery.

LockBit’s Quick Site Recovery – No Surprise to Us

So, how did we predict they would return so quickly? LockBit coming back online shortly after a takedown isn’t surprising. Simply put, these cybercrime groups are organised and efficient. They’re well-prepared, with strong backup strategies that make sure a temporary takedown doesn’t keep them offline for long.

Impact of Operation Cronos on LockBit

LockBit mentioned that law enforcement breached two key servers, stating, “For 5 years of swimming in money I became very lazy.”

Law enforcement seized the following:

  • Key servers, including those for chats and blogs.
  • Important items like databases and encryption tools.
  • Over 1,000 decryption keys, though LockBit has more.
  • More than 200 cryptocurrency accounts allegedly owned by LockBit.

Despite two arrests, three arrest warrants and five indictments have been issues by law enforcement globally, not every member of LockBit was caught. The group now says they’ve strengthened their web security to avoid getting taken down again. They’re planning a strong comeback, especially targeting government entities.

LockBit's updated data leak site shows among its five targets, showing their focus on governmental retaliation. (Source)

LockBit’s Resilience and the Ongoing Threat of Cybercrime

Organised cybercrime groups are currently at the strongest they’ve ever been in 10 years.

  • LockBit leads as the world’s most active ransomware syndicate since 2019.
  • The ransomware market is expected to exceed $18.6 billion by 2027.
  • 74% of ransomware profits in 2021 were linked to Russian hackers.
  • LockBit alone has targeted over 2,000 victims, demanding hundreds of millions in ransom and pocketing over $120 million.

LockBit’s quick return after being taken down by the authorities shows just how powerful and determined they are. Although some of their resources were seized, it’s clear they still have plenty left. Without arresting all their members, LockBit will keep coming back, stronger each time.

What Needs to be Done for LockBit

While the takedown of LockBit’s servers and the seizure of their assets might have seemed like a big win against cybercrime, it’s important to understand that these actions were only temporary setbacks. Simply shutting down their website isn’t enough to stop them for good.

The truth is, to really put a stop to LockBit, tangible arrests are needed. Despite law enforcement’s efforts in seizing servers, encryption tools, and cryptocurrency accounts linked to LockBit, their impact has been limited. Only a few arrests have been made, and not all members of the group have been caught.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →